Hi, I'm a newbie here and need some guidance...
I have this kind of raw text:
2018 Apr 6 15:15:03:735 GMT +0700 BW.NISPJDBCSIBSGateway-1-NISPJDBCSIBSGateway-18-6 User [BW-User] TraceFlagTrue Job-6000 [NISPJDBCSIBS_Gateway/ProcessDefinition.process/Group/LogAfter]: Error148
When the data is forwarded to the Splunk server and searched by its index, the Time column is displayed in this kind of format:
4/6/18 10:15:03.735 PM.
I've already tried to change it by modifying the ...\SplunkUniversalForwarder\etc\apps\learned\local\props.conf, but the Time column is still not affected. I changed it like this:
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 24
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N
PREFIX_SOURCETYPE = True
SHOULD_LINEMERGE = False
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 999999
NO_BINARY_CHECK = true
TZ = UTC
is_valid = True
maxDist = 9999
Please help me.
Hi Gurav... I've changed the props.conf in the server settings at /opt/splunk/etc/apps/MyApps/default/props.conf, the place that matches the configuration of the index I'm using:
TIME_PREFIX = ^
TIME_FORMAT = %Y %b %d %H:%M:%S:%3N
When I search it from Splunk Web, the Time column is displayed with the correct time:
Time Column --> 4/10/18 9:38:03.735 AM
Raw Data --> 2018 Apr 10 09:38:03:735 GMT +0700 BW.NISPJDBCSIBSGateway-1-NISPJDBCSIBSGateway-18-6 User [BW-User] TraceFlagTrue Job-6000 [NISPJDBCSIBS_Gateway/ProcessDefinition.process/Group/LogAfter]: Error150 2018 Apr 6 15:16:03:735 HARJA4
But when I test it after 12 in the afternoon, the hours in the Time column on Splunk Web are displayed +7.
Help me here...
What is your Splunk web interface set to, timezone-wise? (See your account settings.)
The time displayed by Splunk will always differ from the timestamp in the raw event if the timezone of the event is different from the timezone you use to view Splunk. Splunk will present the time value in your timezone, regardless of the timezone in the raw event.
Assuming you view Splunk in GMT+7
You ingest data with 2018 Apr 10 15:42:03:735 GMT +0700
You tell Splunk that the data is in the UTC timezone (which it isn't)
Splunk will interpret the timestamp from the raw event as UTC (GMT) and then add 7h to calculate the time value that Splunk displays to you (assuming you have the Splunk web interface set to show GMT+7). This results in a time value of 4/10/18 10:42:03.735 PM.
So unless there is something more at hand, I think you simply need to make sure Splunk interprets the timestamps in your events correctly. So either set TZ to the correct value, or update the TIME_FORMAT setting to also read the timezone from the event.
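To make the +7h shift concrete, here is an added Python simulation of how Splunk assigns a timezone to the parsed timestamp and then renders it in the viewer's timezone; it is not Splunk code or anything from this thread, the sample events are constructed, and Splunk's %3N is mapped to Python's %f. It covers the three cases the answer describes: TZ = UTC (wrong), TZ set to +0700 (correct), and reading the offset from the event itself.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample events in the thread's format (not real production data).
SAMPLE_EVENTS = [
    "2018 Apr 10 15:42:03:735 GMT +0700 BW.NISPJDBCSIBSGateway-1 Job-6000 Error150",
    "2018 Apr 10 09:38:03:735 GMT +0700 BW.NISPJDBCSIBSGateway-1 Job-6000 Error150",
]

UTC = timezone.utc                        # what "TZ = UTC" told Splunk
GMT_PLUS_7 = timezone(timedelta(hours=7))  # the event's real zone and the viewer's zone

# The thread's TIME_FORMAT "%Y %b %d %H:%M:%S:%3N", with %3N -> Python's %f.
TIME_FORMAT_PY = "%Y %b %d %H:%M:%S:%f"
# TIME_PREFIX = ^ : timestamp starts the line; the zone suffix is captured separately.
TS_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3}) GMT ([+-]\d{4})")


def parse_event_time(raw, tz_setting=None):
    """Return an aware datetime for the event's timestamp.

    tz_setting plays the role of props.conf TZ. None means 'take the offset
    from the event', the effect of a TIME_FORMAT that also reads the zone.
    """
    m = TS_RE.match(raw)
    if not m:
        raise ValueError("no timestamp at start of event")
    naive = datetime.strptime(m.group(1), TIME_FORMAT_PY)
    if tz_setting is None:
        off = m.group(2)  # e.g. "+0700"
        sign = 1 if off[0] == "+" else -1
        tz_setting = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[3:5])))
    return naive.replace(tzinfo=tz_setting)


def displayed_time(raw, tz_setting, viewer_tz):
    """Render the event time the way Splunk Web shows it, e.g. 4/10/18 10:42:03.735 PM."""
    local = parse_event_time(raw, tz_setting).astimezone(viewer_tz)
    hour12 = local.strftime("%I").lstrip("0")
    return f"{local.month}/{local.day}/{local:%y} {hour12}:{local:%M:%S}.{local.microsecond // 1000:03d} {local:%p}"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("raw:            ", ev[:34])
        print("TZ = UTC (wrong):", displayed_time(ev, UTC, GMT_PLUS_7))
        print("TZ = +0700:      ", displayed_time(ev, GMT_PLUS_7, GMT_PLUS_7))
        print("zone from event: ", displayed_time(ev, None, GMT_PLUS_7))
```

The first event reproduces the answer's figures: with TZ = UTC the viewer in GMT+7 sees 10:42:03.735 PM, while the two correct settings both show 3:42:03.735 PM.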